redhatcve | Redhat.com | RH:CVE-2024-45506
History: Sep 04, 2024 - 4:15 p.m.

CVE-2024-45506

2024-09-04 16:15:46
redhat.com
access.redhat.com
haproxy
version 2.9.x
version 3.0.x
version 3.1.x
denial of service

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.009
Percentile: 82.6%

A flaw was found in HAProxy. An issue in the HTTP/2 multiplexer, combined with the zero-copy forwarding system, allows remote attackers, under very rare conditions, to trigger an endless loop and cause a denial of service.

Mitigation

Disable the zero-copy forwarding system to mitigate this issue. Add the following configuration directive in the global section:

global  
  ...  
  tune.h2.zero-copy-fwd-send off  
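
A check for the mitigation above, as an added example that is not part of the Red Hat advisory: it parses an HAProxy configuration and reports whether `tune.h2.zero-copy-fwd-send off` is set in a `global` section. The function names, the section-keyword list and the sample configurations are assumptions made for illustration.

```python
DIRECTIVE = "tune.h2.zero-copy-fwd-send"

# Common keywords that open a new section (assumed subset, not exhaustive).
SECTION_KEYWORDS = {
    "global", "defaults", "frontend", "backend", "listen", "userlist",
    "peers", "resolvers", "mailers", "cache", "ring", "program", "http-errors",
}


def directive_state(config_text):
    """Return the last value given for DIRECTIVE in a global section, else "unset"."""
    section = None
    state = "unset"
    for raw in config_text.splitlines():
        # Simplification: treat every '#' as a comment start (ignores quoting).
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            section = words[0]
        elif section == "global" and words[0] == DIRECTIVE and len(words) > 1:
            state = words[1].lower()  # keep the last value seen
    return state


def is_mitigated(config_text):
    """True only when the directive is explicitly 'off' in a global section."""
    return directive_state(config_text) == "off"


# Constructed sample configurations (not taken from any real deployment).
MITIGATED = """\
global
    log stdout format raw local0
    tune.h2.zero-copy-fwd-send off   # CVE-2024-45506 mitigation

defaults
    mode http
"""
COMMENTED_OUT = "global\n    # tune.h2.zero-copy-fwd-send off\n"
WRONG_SECTION = "global\n    maxconn 1000\ndefaults\n    tune.h2.zero-copy-fwd-send off\n"
RE_ENABLED = "global\n  tune.h2.zero-copy-fwd-send off\nglobal\n  tune.h2.zero-copy-fwd-send on\n"

if __name__ == "__main__":
    for name in ("MITIGATED", "COMMENTED_OUT", "WRONG_SECTION", "RE_ENABLED"):
        print(f"{name}: {directive_state(globals()[name])}")
```

The check treats a commented-out directive, a directive placed outside `global`, and a later `on` that overrides an earlier `off` as not mitigated.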
